package com.atzly.community.config;

import com.atzly.community.constant.CommentConstant;
import com.atzly.community.utils.CommunityUtils;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import java.io.PrintWriter;

/**  security安全权限设置
 *  授权
 *  csrf
 * @author zlysimida
 * @date 2021/9/3 - 12:53
 */
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter implements CommentConstant {

    // 不拦截资源配置
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    // 进行授权设置
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 设置访问路径和权限
        http.authorizeRequests()
                .antMatchers(
                "/user/setting/**",
                        "/user/upload",
                        "/user/header/**",
                        "/user/profile/**",
                        "/search/**",
                        "/message/detail/**",
                        "/message/send",
                        "/message/notify/**",
                        "/like/**",
                        "/follow/**",
                        "/discuss/add",
                        "/comment/add/**"
                )
                .hasAnyAuthority(
                        AUTHORITY_USER, AUTHORITY_ADMIN, AUTHORITY_MODERATOR
                )
                .antMatchers(
                        "/discuss/digest", "/discuss/top"
                )
                .hasAnyAuthority(
                        AUTHORITY_MODERATOR
                )
                .antMatchers(
                        "/discuss/delete",
                        "/minitor/**",
                        "/actuator/**"
                )
                .hasAnyAuthority(AUTHORITY_ADMIN)
                // csrf跨站请求伪造(security默认对非异步请求进行csrf验证
                // 自动生成令牌(_csrf)以及相应的值对用户进行验证)
                // 异步请求需要在页面自行处理
                // 可以关闭csrf验证功能
                .anyRequest().permitAll().and().csrf().disable();




        // 权限不足时的处理
        http.exceptionHandling()
                // 没有登录处理
                .authenticationEntryPoint((request, response, e) -> {
                    String xRequestedWith = request.getHeader("x-requested-with");
                    if ("XMLHttpRequest".equals(xRequestedWith)){
                        // 异步请求
                        response.setContentType("application/plain;charset=utf-8");
                        PrintWriter writer = response.getWriter();
                        writer.write(CommunityUtils.JsontoString(403,"你还没有登录哦!"));
                    } else {
                        // 普通请求
                        response.sendRedirect(request.getContextPath() + "/login");
                    }
                })
                // 登录后权限不足时的时成立
                .accessDeniedHandler((request, response, e) -> {
                    String xRequestedWith = request.getHeader("x-requested-with");
                    if("XMLHttpRequest".equals(xRequestedWith)){
                        response.setContentType("application/plain;charset=utf-8");
                        PrintWriter writer = response.getWriter();
                        writer.write(CommunityUtils.JsontoString(403,"您的权限不足哦!"));
                    } else {
                        response.sendRedirect(request.getContextPath() + "/denied");
                    }
                });

        // 修改默认的退出页面(欺骗security不进行自己的逻辑)
        http.logout().logoutUrl("/security/logout");

    }
}
